Cloud Metadata Potentially Exposed false positive #7033
Comments
Leverage custom error pages? They exist to facilitate this exact issue, when apps/servers don't follow industry standards.
Actually it looks like this rule might need to be adapted to leverage custom error pages, however that's a fairly simple change:
Custom error pages would indeed be a quick fix for this issue. It would be really cool if we can detect such scenarios automatically. There's some work for this in zaproxy/zap/src/main/java/org/parosproxy/paros/core/scanner/Analyser.java Lines 415 to 460 in 8ac4b10
This scan rule could do a prelim dummy request (
Cool, I think that would solve the issue in most cases, except when the response body contains (part of) the URL, thus not being identical on a random request.
@kingthorin did you check if with the custom pages the issue is addressed already? The Analyser does what's being suggested here and iirc the custom pages uses the Analyser.
I haven't checked yet. I do recall that we leveraged the analyser in some of the checks/methods, I just don't recall which off the top of my head.
If the check of the header status code was replaced with
Awesome, thanks a lot!
I know this is closed, but this test seems to be looking for some VERY specific content. I know custom error pages work is complete, but could/should add some response content checking here given that it's targeting some well known patterns?
Sure if there are known/stable patterns to look for.
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Describe the bug
The Cloud Metadata Potentially Exposed active rule generates false positives for all pages that return 200 and instead do error handling/redirects using JavaScript.
To Reproduce
Example (reduced) response body that triggers an alert:
Expected behavior
The active rule detects the redirect and does not trigger an alert.
Software versions
Would you like to help fix this issue?
Of course, but Java is not my best.
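As an added illustration of the approach the thread suggests (a preliminary dummy request whose response is compared against the probe response before alerting), here is a stand-alone Python sketch; it is not ZAP's code, and the sample page, the probe/dummy paths and the similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample (not from the original issue): a catch-all page that answers
# 200 for every URL and redirects via JavaScript, echoing the requested path, so
# no two responses are byte-identical (the caveat raised in the thread).
def js_redirect_page(path: str) -> str:
    return ("<html><body><script>"
            f"window.location.replace('/error?from={path}');"
            "</script>Redirecting...</body></html>")

PROBE_PATH = "/latest/meta-data/"            # path the scan rule requests (assumed)
DUMMY_PATH = "/zap-does-not-exist-8f3a1c/"   # random baseline path (constructed)

def normalise(body: str, requested_path: str) -> str:
    """Replace the echoed request path by a placeholder and collapse whitespace,
    so a catch-all page compares equal whichever URL was requested."""
    return re.sub(r"\s+", " ", body.replace(requested_path, "{PATH}")).strip()

def is_catch_all_page(probe_body, probe_path, dummy_body, dummy_path, threshold=0.9):
    """Analyser-style heuristic: if a request for a random, non-existent path
    returns (almost) the same body as the probe, the 200 status carries no
    evidence by itself."""
    a = normalise(probe_body, probe_path)
    b = normalise(dummy_body, dummy_path)
    return SequenceMatcher(None, a, b).ratio() >= threshold

def should_alert(probe_status, probe_body, dummy_status, dummy_body,
                 probe_path=PROBE_PATH, dummy_path=DUMMY_PATH) -> bool:
    """Old behaviour: alert on any 200. Adjusted behaviour: additionally require
    the probe response to differ from the dummy-request baseline."""
    if probe_status != 200:
        return False
    if dummy_status == 200 and is_catch_all_page(probe_body, probe_path,
                                                 dummy_body, dummy_path):
        return False  # server answers 200 for everything: false positive
    return True

if __name__ == "__main__":
    # False-positive scenario from the issue: both requests get the JS redirect page.
    print(should_alert(200, js_redirect_page(PROBE_PATH),
                       200, js_redirect_page(DUMMY_PATH)))            # False
    # Distinct probe response against a real 404 baseline: still alerts.
    print(should_alert(200, "<pre>instance data</pre>",
                       404, "<h1>Not Found</h1>"))                     # True
```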